AWSTemplateFormatVersion: "2010-09-09"

Description: Provides configuration for Client VPN Endpoint.

Parameters:
  ClientCidrBlock:
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$

  ServerCertificateArn:
    Type: String

  ClientCertificateArn:
    Type: String

  SubnetID:
    Type: AWS::EC2::Subnet::Id

  TargetNetworkCidr:
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$

  VpcID:
    Type: AWS::EC2::VPC::Id

  ClientVPNSecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id

  ResourceTags:
    Type: String

Resources:
  ClientVpnEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      Description: Client VPN to connect to instances in Private Subnet 1
      AuthenticationOptions:
        - MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientCertificateArn
          Type: certificate-authentication
      ClientCidrBlock: !Ref ClientCidrBlock
      ConnectionLogOptions:
        Enabled: false
      ServerCertificateArn: !Ref ServerCertificateArn
      VpcId: !Ref VpcID
      SecurityGroupIds:
        - !Ref ClientVPNSecurityGroup
      TagSpecifications:
        - ResourceType: client-vpn-endpoint
          Tags:
            - Key: Name
              Value: !Join [/, [!Ref ResourceTags, client-vpn]]

  VpnEndpointTargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      SubnetId: !Ref SubnetID

  VpnEndpointAuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      Description: Allow access to studio host subnet
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      AuthorizeAllGroups: true
      TargetNetworkCidr: !Ref TargetNetworkCidr

  InternetAuthRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      Description: Allow access to internet
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      AuthorizeAllGroups: true
      TargetNetworkCidr: 0.0.0.0/0

  InternetRoute:
    Type: AWS::EC2::ClientVpnRoute
    DependsOn: VpnEndpointTargetNetworkAssociation
    Properties:
      Description: Route to the internet
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      TargetVpcSubnetId: !Ref SubnetID
      DestinationCidrBlock: 0.0.0.0/0

Outputs:
  ClientVpnEndpointID:
    Value: !Ref ClientVpnEndpoint